Health Breach Notification Rule, 42962-42985 [E9-20142]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 74, Number 163 (Tuesday, August 25, 2009)]
[Rules and Regulations]
[Pages 42962-42985]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-20142]



[[Page 42961]]

-----------------------------------------------------------------------

Part II





Federal Trade Commission





-----------------------------------------------------------------------



16 CFR Part 318



Health Breach Notification Rule; Final Rule

Federal Register / Vol. 74, No. 163 / Tuesday, August 25, 2009 / 
Rules and Regulations

[[Page 42962]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 318

[RIN 3084-AB17]


Health Breach Notification Rule

AGENCY: Federal Trade Commission (FTC).

ACTION: Final Rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is 
issuing this final rule, as required by the American Recovery and 
Reinvestment Act of 2009 (the ``Recovery Act'' or ``the Act''). The 
rule requires vendors of personal health records and related entities 
to notify consumers when the security of their individually 
identifiable health information has been breached.

DATES: This rule is effective September 24, 2009. Full compliance is 
required by February 22, 2010.

ADDRESSES: Requests for copies of the Final Rule and this Notice should 
be sent to: Public Records Branch, Room 130, Federal Trade Commission, 
600 Pennsylvania Avenue, N.W., Washington, DC 20580. The public record 
of this proceeding is also available at that address. Relevant portions 
of the proceeding, including the Final Rule and this Notice, are 
available at http//www.ftc.gov.

FOR FURTHER INFORMATION CONTACT: Cora Tung Han or Maneesha Mithal, 
Attorneys, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue, 
NW., Washington, DC 20580, (202) 326-2252.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Overview of the Recovery Act, Proposed Rule, and Comments 
Received
III. Section-By-Section Analysis of the Rule
IV. Paperwork Reduction Act
V. Regulatory Flexibility Act
VI. Final Rule

I. Background

    On February 17, 2009, President Obama signed the American Recovery 
and Reinvestment Act of 2009 (the ``Recovery Act'' or ``the Act'') into 
law.\1\ The Act includes provisions to advance the use of health 
information technology and, at the same time, strengthen privacy and 
security protections for health information.
---------------------------------------------------------------------------

    \1\ American Recovery & Reinvestment Act of 2009, Pub. L. No. 
111-5, 123 Stat. 115 (2009).
---------------------------------------------------------------------------

    Among other things, the Recovery Act recognizes that there are new 
types of web-based entities that collect consumers' health information. 
These entities include vendors of personal health records and online 
applications that interact with such personal health records 
(``PHRs'').\2\ Some of these entities are not subject to the existing 
privacy and security requirements of the Health Insurance Portability 
and Accountability Act (``HIPAA'').\3\ For such entities, the Recovery 
Act requires the Department of Health and Human Services (``HHS'') to 
study, in consultation with the FTC, potential privacy, security, and 
breach notification requirements and to submit a report to Congress 
containing recommendations within one year of enactment of the Recovery 
Act (the ``HHS report''). Until Congress enacts new legislation 
implementing such recommendations, the Recovery Act contains temporary 
requirements, to be enforced by the FTC, that such entities notify 
individuals in the event of a security breach. The final rule 
implements these requirements.
---------------------------------------------------------------------------

    \2\ In general, personal health records are online repositories 
of health information that individuals can create to track their 
medical visits, prescription information, etc. The terms ``vendor of 
personal health records'' and ``personal health records'' are 
defined terms in the FTC's rule; thus, in some instances, the term 
``personal health record'' is not abbreviated.
    \3\ Health Insurance Portability & Accountability Act, Pub. L. 
No. 104-191, 110 Stat. 1936 (1996).
---------------------------------------------------------------------------

    The Recovery Act also directs HHS to promulgate a rule requiring 
(1) HIPAA-covered entities, such as hospitals, doctors' offices, and 
health insurance plans, to notify individuals in the event of a 
security breach and (2) business associates of HIPAA-covered entities 
to notify such HIPAA-covered entities in the event of a security 
breach.\4\ HIPAA-covered entities and entities that engage in 
activities as business associates of HIPAA-covered entities will be 
subject only to HHS' rule and not the FTC's rule, as explained further 
below.
---------------------------------------------------------------------------

    \4\ The Recovery Act requires HHS to issue its rule within 180 
days of enactment of the Recovery Act. Sec. 13402(j).
---------------------------------------------------------------------------

II. Overview of the Recovery Act, Proposed Rule, and Comments Received

    The Recovery Act requires ``vendors of personal health records'' 
and ``PHR related entities,'' as defined below, to notify their 
customers of any breach of unsecured, individually identifiable health 
information. Further, a third party service provider of such vendors or 
entities that experiences a breach must notify such vendors or entities 
of the breach, so that they can in turn notify their customers. The Act 
contains specific requirements governing the timing, method, and 
contents of the breach notice to consumers. For example, it requires 
entities to provide breach notices ``without unreasonable delay,'' and 
in no case later than 60 calendar days after discovering a breach; it 
requires notice to consumers by first-class mail or, if specified as a 
preference by the individual, by email; and it requires substitute 
notice, through the media or a web posting, if there is insufficient 
contact information for ten or more individuals. In addition, the Act 
requires the FTC to adopt a rule implementing the breach notification 
requirements applicable to vendors of personal health records, PHR 
related entities, and third party service providers within 180 days of 
enactment of the Act. It also authorizes the FTC to seek civil 
penalties for violations.
    The Recovery Act contains a similar scheme for HIPAA-covered 
entities, to be enforced by HHS. HIPAA-covered entities must notify 
individuals whose ``unsecured protected health information'' is 
breached. If a business associate of a HIPAA-covered entity experiences 
a security breach, it must notify the HIPAA-covered entity, which must 
in turn notify individuals.
    To fulfill the Recovery Act requirements, on April 20, 2009, the 
Commission issued a Notice of Proposed Rulemaking (``NPRM''). The 
proposed rule contained in the NPRM adhered closely to the requirements 
of the Recovery Act.\5\ The Commission received approximately 130 
comments.\6\ Some general comments are summarized below, and an 
analysis of comments addressing particular sections of the proposed 
rule follows.
---------------------------------------------------------------------------

    \5\ 74 FR 17,914.
    \6\ Comments are available at (https://www.ftc.gov/os/comments/healthinfobreach/index.shtm). The Commission also reviewed the 
comments HHS received in response to its Request for Information on 
its forthcoming breach notification rule. 74 FR 19,006. However, the 
specific comments addressed in this Notice are those that were filed 
in response to the FTC's NPRM.
---------------------------------------------------------------------------

    First, commenters that addressed the issue generally agreed that 
FTC and HHS should work together to ensure that their respective breach 
notification rules are harmonized and that stakeholders know which rule 
applies to which entity.\7\ Some of these commenters recognized that 
some entities that operate in different roles may be subject to both 
rules, and that

[[Page 42963]]

it is therefore important for the rules to be similar.\8\ The 
Commission agrees and has consulted with HHS to harmonize the two 
rules, within the constraints of the statutory language. Further, as 
explained below, for some entities subject to both the HHS and FTC 
rules, compliance with certain HHS rule requirements shall be deemed 
compliance with the corresponding provisions of the FTC's rule.
---------------------------------------------------------------------------

    \7\ See, e.g., American Council of Life Insurers (``ACLI'') at 
1; American Benefits Council (``ABC'') at 2; American Insurance 
Association (``AIA'') at 1; Center for Democracy & Technology, 
Markle Foundation, Childbirth Connection, Health Care for All, 
National Partnership for Women & Families, SEIU (hereinafter ``CDT/
Markle'') at 4-5; Dossia at 5; HealthITNow.org at 1-2; National 
Association of Chain Drug Stores (``NACDS'') at 4; WebMD at 3.
    \8\ See, e.g., HealthITNow.org at 2; WebMD at 3.
---------------------------------------------------------------------------

    A second and related point that many commenters raised was that, to 
the extent possible, consumers should receive a single notice for a 
single breach.\9\ These commenters pointed out that receiving multiple 
notices for the same breach would confuse consumers and convey an 
exaggerated sense of risk.\10\ Receiving a barrage of notices also 
could cause consumers to become numb to such notices, so that they may 
fail to spot or mitigate the risks being communicated to them.\11\ Some 
commenters noted that consumers could receive multiple notices because 
of inadvertently overlapping requirements between HHS and FTC 
rules.\12\ As described below, the Commission has taken steps to ensure 
that its rule does not overlap with HHS' and that consumers do not 
receive multiple notifications.
---------------------------------------------------------------------------

    \9\ See, e.g., American Legislative Exchange Council (``ALEC'') 
at 6; HealthITNow.org at 2; Software Information Industry 
Association (``SIIA'') at 3; Statewide Parent Advocacy Network, Inc. 
at 1; United Health Group (``UHG'') at 2.
    \10\ See, e.g., ALEC at 7; HealthITNow.org at 2.
    \11\ See, e.g., Blue Cross/Blue Shield at 4; SIIA at 6-7.
    \12\ See, e.g., American Health Information Management 
Association (``AHIMA'') at 2; American Medical Association (``AMA'') 
at 2.
---------------------------------------------------------------------------

    Third, several commenters raised privacy and security concerns 
about PHRs generally.\13\ For example, one commenter asked the FTC to 
establish comprehensive privacy and security standards, and supported 
the creation of a private right of action for a violation of these 
standards.\14\ The Commission notes that, although general privacy and 
security issues are beyond the scope of the current rulemaking, the 
Commission will take these comments into account when it provides input 
on the HHS report described above.
---------------------------------------------------------------------------

    \13\ See, e.g., Electronic Privacy Information Center (``EPIC'') 
at 11; Flagler, Hoerl, Hosler.
    \14\ EPIC at 11.
---------------------------------------------------------------------------

    Fourth, several individual commenters expressed concerns about 
electronic health records in general.\15\ Some of these commenters 
questioned the cost-savings that would result;\16\ others strongly 
supported patients' right to opt out of such records.\17\ In response, 
the Commission notes that this rule addresses only breach notification 
with respect to PHRs voluntarily created by individuals; it does not 
address electronic health records more generally, such as those created 
for patients by hospitals or doctors' offices.\18\
---------------------------------------------------------------------------

    \15\ See, e.g., Blair, Coon, Flagler.
    \16\ See, e.g., Jones-Ford, Rogalski, Serich,
    \17\ See, e.g., Amidei, Baxter, Blair, Coon.
    \18\ Section 13400(5) of the Recovery Act defines ``electronic 
health record'' as an electronic record of health-related 
information on an individual that is ``created, gathered, managed, 
and consulted by authorized health care clinicians and staff.'' In 
contrast, section 13400(11) defines ``personal health record'' as an 
electronic record ``on an individual that can be drawn from multiple 
sources and that is managed, shared, and controlled by or primarily 
for the individual.''
---------------------------------------------------------------------------

    Finally, many commenters expressed concerns about particular 
statutory requirements governing breach notification. For example, some 
commenters stated that entities should be required to provide breach 
notification for paper, as well as electronic, information;\19\ others 
expressed concerns about requiring media notice.\20\ Because these 
requirements come directly from the language of the Recovery Act, the 
Commission cannot change its final rule in response to these comments. 
Nevertheless, the Commission will take these comments into account when 
it provides input on the HHS report.
---------------------------------------------------------------------------

    \19\ See, e.g., IDExperts at 1-2; National Association for 
Information Destruction (``NAID'') at 3-4, Ohio State University 
Medical Center at 1, Statewide Parent Advocacy Network, Inc. at 2.
    \20\ See, e.g., IDExperts at 2-3; Identity Theft 911 at 3.
---------------------------------------------------------------------------

III. Section-by-Section Analysis

Section 318.1: Purpose and Scope

    Proposed section 318.1 set forth the relevant statutory authority 
for the proposed rule; stated that the proposed rule would apply to 
vendors of personal health records, PHR related entities, and third 
party service providers; and clarified that the proposed rule would not 
apply to HIPAA-covered entities or to an entity's activities as a 
business associate of a HIPAA-covered entity. The Commission received 
several comments on this section as follows.
A. Application of Rule to Non-Profits and Other Entities Beyond the 
FTC's Traditional Jurisdiction
    In its NPRM, the Commission noted that the proposed rule applied to 
entities beyond the FTC's traditional jurisdiction under section 5 of 
the FTC Act, such as non-profits (e.g., educational institutions, 
charities, and 501(c)(3) organizations), because the Recovery Act does 
not limit the FTC's enforcement authority to its enforcement 
jurisdiction under section 5. Indeed, section 13407 of the Recovery Act 
expressly applies to ``vendors of personal health records and other 
non-HIPAA covered entities,'' without regard to whether such entities 
fall within the FTC's jurisdiction under section 5.
    The Commission received several comments in support of this 
requirement. One commenter stated that it was reasonable for the FTC's 
rule to apply to non-profits.\21\ Another commenter suggested applying 
the rule to as broad a range of entities as possible.\22\ Yet another 
commenter stated that the rule should apply to all entities that handle 
PHRs.\23\ Thus, the Commission retains its interpretation and modifies 
the proposed rule to clarify that it applies to vendors of personal 
health records and PHR related entities, ``irrespective of any 
jurisdictional tests in the Federal Trade Commission Act.''\24\
---------------------------------------------------------------------------

    \21\ CDT/Markle at 14-15.
    \22\ IDExperts at 1.
    \23\ See, e.g., EPIC at 3.
    \24\ The rule will not apply to federal agencies. The Commission 
notes that federal agencies already follow breach reporting 
requirements established by the Office of Management and Budget 
(``OMB''). See OMB Memorandum for the Heads of Executive Departments 
and Agencies re Safeguarding Against and Responding to the Breach of 
Personally Identifiable Information, May 22, 2007, available at 
(https://www.whitehouse.gov/OMB/memoranda/fy2007/m07-16.pdf).
---------------------------------------------------------------------------

B. Application of the FTC's Rule to HIPAA-Covered Entities and Business 
Associates of HIPAA-Covered Entities
    As noted above, the Commission received many comments about the 
need to harmonize the HHS and FTC rules to simplify compliance burdens 
and create a level-playing field for HIPAA and non-HIPAA covered 
entities.\25\ Several commenters agreed with the statements in the 
FTC's NPRM that (1) HIPAA-covered entities should be subject to HHS' 
breach notification rule and not the FTC's rule; and (2) business 
associates of HIPAA-covered entities should be subject to HHS' breach 
notification rule, but only to the extent they are acting as business 
associates.\26\ Accordingly, the FTC adopts as final the provision that 
the rule ``does not apply to HIPAA-covered entities, or to any other 
entity to the extent that it engages in activities as a business 
associate of a HIPAA-covered entity,'' but provides further guidance in 
response to specific comments received on the issue.
---------------------------------------------------------------------------

    \25\ See supra note 7.
    \26\ See, e.g., Dossia at 5; UHG at 2; WebMD at 2.

---------------------------------------------------------------------------

[[Page 42964]]

1. Application of the FTC's Rule to HIPAA-Covered Entities
    Although the FTC's proposed rule made clear that it did not apply 
to HIPAA-covered entities, one medical association urged the Commission 
to exclude doctors explicitly from the FTC rule, even if they are 
involved with PHRs.\27\ The Commission agrees that, because health care 
providers such as doctors are generally HIPAA-covered entities, the 
FTC's rule does not apply to them in such capacity. Thus, if a doctor's 
medical practice offers PHRs to its patients, neither the doctor nor 
the medical practice is subject to the FTC's rule.\28\ However, if the 
doctor creates a PHR in a personal capacity, there may be circumstances 
under which the FTC's rule would apply. For example, a non-practicing 
doctor may create and offer PHRs to the public as part of a start-up 
business venture. In this circumstance, the doctor is not acting in his 
or her capacity as a HIPAA-covered entity, and thus, the FTC's rule 
would regulate the PHRs.
---------------------------------------------------------------------------

    \27\ American Medical Association at 1-2.
    \28\ Some doctors or other health care providers, however, may 
not be HIPAA-covered entities because they do not participate in 
``covered transactions'' under HIPAA regulations, such as submitting 
health care claims to a health plan. See 45 CFR 160.103. In such 
cases, these doctors or health care providers are subject to the 
FTC's rule if they offer PHRs or related services. Similarly, some 
commenters asked whether the FTC's rule applies to education records 
covered by the Family Educational Rights and Privacy Act 
(``FERPA''), 20 U.S.C. 1232g (i.e., records of educational 
institutions such as public schools and universities). See Ohio 
State University Medical Center at 1; Statewide Parent Advocacy 
Network at 3-4. If school nurses or physicians' offices within these 
institutions are not HIPAA-covered entities, they are subject to the 
FTC's rule if they offer PHRs or related services.
---------------------------------------------------------------------------

    In addition, one commenter asked whether the FTC's rule would cover 
PHRs that a HIPAA-covered entity offers to its employees.\29\ Because 
the FTC's rule does not apply to HIPAA-covered entities, it does not 
apply to PHRs that such entities offer their employees. However, if a 
HIPAA-covered health care provider or group health plan offers PHRs to 
employees because they also are patients of such health care provider 
or enrollees of such group health plan, then HHS' rule would apply to 
the PHRs.
---------------------------------------------------------------------------

    \29\ Ohio State University Medical Center at 1.
---------------------------------------------------------------------------

2. Application of the FTC's Rule to Business Associates of HIPAA-
Covered Entities
    In its NPRM, the Commission recognized that, in many cases, 
business associates of HIPAA-covered entities that also offer PHRs to 
the public could be subject to both the HHS and FTC breach notification 
rules. If they experience a breach, they could be required to provide 
direct breach notification to their individual customers under the 
FTC's rule. At the same time, under HHS' rule, they could be required 
to notify HIPAA-covered entities to whom they provide services, so that 
the HIPAA-covered entities could in turn notify individuals. In some 
cases, as discussed further below, this potential overlap could lead to 
consumers' receiving multiple notices for the same breach.
    The Commission asked for examples of vendors of personal health 
records that may have a dual role as a business associate of a HIPAA-
covered entity and as a direct provider of PHRs to the public, and how 
the rule should address such a dual role. Commenters provided several 
useful examples,\30\ all of which the Commission believes can be 
addressed within the framework provided in the rule. Most commenters 
that addressed the issue stated, and the Commission agrees, that 
regardless of the circumstances, consumers should receive a single 
breach notice for a single breach.\31\ In addition, the Commission 
agrees with the commenters that stated that the breach notice should 
come from the entity with whom the consumer has a direct 
relationship.\32\ Indeed, the Commission believes that consumers are 
more likely to pay attention to a notice provided by an entity known to 
the consumer, and that consumers may ignore or discard notices provided 
by unknown entities.\33\
---------------------------------------------------------------------------

    \30\ See, e.g., Dossia at 2-3; UHG at 3; WebMD at 3.
    \31\ See supra note 9.
    \32\ See, e.g., CDT/Markle at 12; Dossia at 5.
    \33\ See, e.g., Statement of Basis and Purpose, Affiliate 
Marketing Rule, 72 FR 62910 (Nov. 7, 2007) (requiring that opt-out 
notices come from entity with whom the consumer has a relationship).
---------------------------------------------------------------------------

    For these reasons, it may be desirable in some circumstances for a 
vendor of personal health records to provide notice directly to 
consumers even when the vendor is serving as a business associate of a 
HIPAA-covered entity. For example, a consumer that obtained a PHR 
through a HIPAA-covered entity may nevertheless deal directly with the 
PHR vendor in managing his or her PHR account, and would expect any 
breach notice to come from the PHR vendor. Similarly, where a vendor of 
personal health records has direct customers and thus is subject to the 
FTC's rule, and also provides PHRs to customers of a HIPAA-covered 
entity through a business associate arrangement, it may be appropriate 
for the vendor to provide the same notice to all such customers. In the 
latter situation, the Commission believes that the vendor of personal 
health records should be able to comply with one set of rule 
requirements--those promulgated by HHS--governing the timing, method, 
and content of notice to consumers. Thus, in those limited 
circumstances where a vendor of personal health records (1) provides 
notice to individuals on behalf of a HIPAA-covered entity, (2) has 
dealt directly with these individuals in managing the PHR account, and 
(3) provides such notice at the same time that it provides an FTC-
mandated notice to its direct customers for the same breach, the FTC 
will deem compliance with HHS requirements governing the timing, 
method, and content of notice to be compliance with the corresponding 
FTC rule provisions.\34\
---------------------------------------------------------------------------

    \34\ For direct customers, the vendor of personal health records 
still must comply with all other FTC rule requirements, including 
the requirement to notify the FTC within ten business days after 
discovering the breach. The Commission notes also that the above 
analysis would apply equally to a PHR related entity, as defined 
below, that deals directly with the public and acts as a business 
associate in providing services.
---------------------------------------------------------------------------

    Based on the comments received, the Commission has developed the 
following examples to illustrate situations of dual or overlapping 
coverage under the FTC and HHS rules.
a. Example 1: Vendor with a Dual Role as Business Associate and 
Provider of PHRs to the Public
    PHR Vendor provides PHRs to the public through its own Web site. 
PHR Vendor also signs a business associate agreement with ABC Insurance 
(a HIPAA-covered entity) to offer PHRs to customers of ABC Insurance. 
ABC Insurance sends a message to its customers offering free PHRs 
through PHR Vendor and provides a link to PHR Vendor's Web site. 
Several patients of ABC Insurance choose to create PHRs through PHR 
Vendor. A hacker remotely copies the PHRs of all of PHR Vendor's users.
    Under the FTC's rule, PHR Vendor is a vendor of personal health 
records that must provide breach notice to members of the public to 
whom it offers PHRs directly. It is not acting as a business associate 
to anyone in providing these PHRs. However, because it is acting as a 
business associate to ABC Insurance by providing PHRs for ABC 
Insurance's patients, it is not required to provide direct notice to 
ABC Insurance's customers under the FTC's rule. Rather, under the 
Recovery Act, in its capacity as a business associate, it must notify 
ABC Insurance so that ABC Insurance can in turn notify its customers.
    PHR Vendor therefore must maintain a list of its own customers and 
a

[[Page 42965]]

separate list of ABC Insurance's customers so that it can fulfill its 
obligations under the Recovery Act to provide notice to its own 
customers, as well as a separate notice to ABC Insurance. If PHR Vendor 
has similar business associate agreements with other entities, it must 
maintain separate customer lists for each such entity.
    In this example, however, because PHR Vendor has a direct 
relationship with all of the individuals affected by the breach 
(including the patients of ABC Insurance), PHR Vendor may contract with 
ABC Insurance to notify individuals on ABC Insurance's behalf.\35\ The 
Commission encourages such contractual arrangements because they would 
(1) satisfy both PHR Vendor's and ABC Insurance's obligation to notify 
individuals; (2) ensure that consumers receive a single notice from an 
entity with whom they have a direct relationship; and (3) simplify the 
notification process so that PHR Vendor can provide direct notice to 
those affected at the same time.\36\
---------------------------------------------------------------------------

    \35\ PHR Vendor still must comply with the Recovery Act 
requirement to notify ABC Insurance of the breach.
    \36\ As explained above, if PHR Vendor were to send individual 
notices on behalf of ABC Insurance, it could send all of its breach 
notices, including notices to its direct customers, in accordance 
with HHS rules requirements governing the timing, method, and 
content of notice.
---------------------------------------------------------------------------

b. Example 2: Addressing Portable PHRs
    As in Example 1, PHR Vendor offers PHRs directly to the public. It 
also offers PHRs to enrollees of various health insurance companies, 
including ABC Insurance and XYZ Insurance, through business associate 
agreements with those companies. Sally is a patient of ABC Insurance. 
ABC Insurance offers Sally the use of PHR Vendor's product, and Sally 
creates her PHR. Years later, Sally moves, changes jobs, switches to 
XYZ Insurance, and keeps her PHR with PHR Vendor. If PHR Vendor's 
records are breached at this point, under HHS' rule, PHR Vendor, as a 
business associate of XYZ Insurance, must notify XYZ Insurance that 
Sally's record has been breached, and XYZ Insurance must provide Sally 
with a breach notice. Alternatively, if Sally had moved to an insurance 
company with whom PHR Vendor did not have a business associate 
agreement, PHR Vendor would not be subject to HHS' rule with respect to 
Sally; it must treat her as its own customer and provide Sally with 
breach notice directly.
    In this scenario, PHR Vendor has an additional obligation to 
address the potential portability of PHRs. To fulfill such obligation, 
PHR Vendor must maintain lists tracking which customers belong to which 
HIPAA-covered entity, and must update such information regularly. 
Without such an updating system, PHR Vendor might keep Sally on its 
list of ABC Insurance's customers, but when Sally leaves ABC Insurance, 
that company may no longer have an obligation to notify her of a 
breach, and she may never receive a notice.\37\ Alternatively, if PHR 
Vendor does not properly update its customer lists, Sally potentially 
could receive up to three notices--one from PHR Vendor, one from ABC 
Insurance, and one from XYZ Insurance.
---------------------------------------------------------------------------

    \37\ PHR Vendor's failure to send Sally a notice in this 
situation would constitute a violation of the FTC's rule.
---------------------------------------------------------------------------

    As in Example 1, the Commission encourages vendors like PHR Vendor 
to include provisions in their business associate agreements stating 
that they will send breach notices on behalf of the entities to whom 
they are providing business associate services. In Example 2, such a 
contractual provision would simplify the notification process; it also 
may help avoid a situation in which consumers like Sally, who may move 
around frequently, receive multiple notices, or even worse, no notice.
c. Example 3: PHRs Offered to Families
    Sally is employed by ABC Widgets, which has a HIPAA-covered group 
health plan. ABC Widgets' group health plan offers PHRs to employees 
and employees' spouses through PHR Vending, a business associate of ABC 
Widgets' group health plan. Sally gets a PHR; her husband John is 
separately insured, but he decides to get a PHR through PHR Vending as 
well. If PHR Vending experiences a breach, Sally may get a notice from 
ABC Widgets' group health plan under HHS' rule, and John must get a 
notice from PHR Vending under the FTC's rule. Alternatively, ABC 
Widgets and PHR Vending may, through their business associate 
agreement, choose to have PHR Vending send breach notices to all 
customers, as explained above.
C. Application of the FTC's Rule to Entities Outside the United States
    One commenter suggested that the Commission clarify whether its 
rule applies to foreign businesses that have U.S. customers.\38\ The 
Commission agrees and has determined that foreign entities with U.S. 
customers must provide breach notification under U.S. laws. 
Accordingly, it adds language to the final rule stating that it 
``applies to foreign and domestic vendors of personal health records, 
PHR related entities, and third party service providers . . . that 
maintain information of U.S. citizens or residents.''
---------------------------------------------------------------------------

    \38\ World Privacy Forum at 1-2.
---------------------------------------------------------------------------

    The Recovery Act supports this interpretation. Section 13407(e) of 
the Act states that a violation of the FTC's breach notification 
provisions ``shall be treated as an unfair and deceptive act or 
practice in violation of a regulation under section 18(a)(1)(B) of the 
Federal Trade Commission Act. . .'' Section 18(a)(1)(B) allows the 
Commission to issue regulations that define ``with specificity acts or 
practices which are unfair or deceptive acts or practices'' under the 
FTC Act.\39\ The term ``unfair or deceptive acts or practices'' is in 
turn defined to include those acts or practices ``in foreign commerce'' 
that ``cause or are likely to cause reasonably foreseeable injury 
within the United States'' or ``involve material conduct occurring 
within the United States.''\40\ Thus, the Recovery Act's references to 
the ``unfair or deceptive acts or practices'' section of the FTC Act, 
which has extraterritorial reach, supports the interpretation that the 
FTC's rule applies to foreign vendors of personal health records, 
related entities, as well as third party service providers, to the 
extent that they deal with U.S. consumers.
---------------------------------------------------------------------------

    \39\ 15 U.S.C. 57a.
    \40\ 15 U.S.C. 45.
---------------------------------------------------------------------------

D. Preemption of State Law
    Several commenters discussed state breach notification requirements 
that could potentially conflict with the FTC's rule requirements.\41\ 
Several of these commenters raised concerns that such conflicting 
requirements could increase compliance burdens on businesses.\42\ Some 
also raised concerns that entities would be required to send consumers 
multiple notices to comply with both state laws and the FTC's rule.\43\
---------------------------------------------------------------------------

    \41\ See, e.g., America's Health Insurance Plans (``AHIP'') at 
7; AIA at 1; Dossia at 10-11; Molina Healthcare at 5-6; NACDS at 3-
4; National Association of Mutual Insurance Companies (``NAMIC'') at 
7-8; SIIA at 2-3; Sonnenschein at 1-2; UHG at 9-12; WebMD at 5-7.
    \42\ See, e.g., AIA at 1; Dossia at 10; Molina Healthcare at 5-
6.
    \43\ See, e.g., AHIP at 8; AIA at 2.
---------------------------------------------------------------------------

    The Commission notes that, under section 13421 of the Recovery Act, 
the preemption standard set forth in section 1178 of the Social 
Security Act, 42 U.S.C. 1320d-7 applies also to the FTC's rule. That 
section, which contains the preemption standard for HIPAA and its 
implementing regulations, states that federal requirements supersede 
any

[[Page 42966]]

contrary provision of State law.\44\ To clarify that the same standard 
applies here, the Commission has added language to the final rule 
stating that, ``[t]his Part preempts state law as set forth in section 
13421 of the American Recovery and Reinvestment Act of 2009.''
---------------------------------------------------------------------------

    \44\ Section 1178 also sets forth some exceptions to this 
standard, none of which applies here. Of most relevance, one 
exception states that federal requirements will not necessarily 
preempt contrary state laws that, ``subject to section 264(c)(2)'' 
of HIPAA, relate to the ``privacy of individually identifiable 
health information.'' Although the FTC's rule relates to ``privacy 
of individually identifiable health information,'' HHS interprets 
this exception as applying only to the HIPAA Privacy Rule, because 
it is the sole regulation promulgated under section 264(c)(2) of 
HIPAA.
---------------------------------------------------------------------------

    The Commission notes that the final rule preempts only contrary 
state laws. Under HHS regulations implementing the preemption standard 
of section 1178 of the Social Security Act, a state law is contrary to 
federal requirements (1) if it would be impossible to comply with both 
state and federal requirements or (2) if state law ``stands as an 
obstacle to the accomplishment and execution of the full purposes and 
objectives'' of the federal requirements.\45\ Under this standard, the 
Commission's rule does not preempt state laws imposing additional, as 
opposed to contradictory, breach notification requirements. For 
example, some State laws require breach notices to include advice on 
monitoring credit reports; others require contact information for 
consumer reporting agencies; yet others require the notice to include 
advice on reporting incidents to law enforcement agencies. Even though 
these content requirements are different from those contained in the 
FTC's rule, entities may comply with both state laws and the FTC rule 
by setting forth all of the information required in a single breach 
notice.\46\ In these circumstances, because it is possible to comply 
with both laws, and the state laws do not thwart the objectives of the 
federal law,\47\ there is no conflict between state and federal law.
---------------------------------------------------------------------------

    \45\ See 45 CFR 160.202.
    \46\ The rule does not require entities to send multiple notices 
to comply with state and federal law.
    \47\ For a discussion of the issue of federal preemption when 
state laws frustrate federal objectives, see Wyeth v. Levine, 129 S. 
Ct. 1187 (2009).
---------------------------------------------------------------------------

Section 318.2: Definitions

(a) Breach of security
    The proposed rule defined ``breach of security'' as the acquisition 
of unsecured PHR identifiable health information\48\ of an individual 
in a personal health record without the authorization of the 
individual.\49\ The Commission adopts this portion of the definition of 
breach of security without modification. Examples of unauthorized 
acquisition include the theft of a laptop containing unsecured PHRs; 
the unauthorized downloading or transfer of such records by an 
employee; and the electronic break-in and remote copying of such 
records by a hacker.
---------------------------------------------------------------------------

    \48\ The phrase ``PHR identifiable health information'' is 
defined below.
    \49\ Several of the rule provisions refer to information ``in a 
personal health record.'' Because a personal health record often 
includes information in transit, as well as stored information, the 
Commission interprets the phrase ``in a personal health record'' to 
include data in motion and data at rest.
---------------------------------------------------------------------------

    The proposed rule also contained a rebuttable presumption for 
unauthorized access to an individual's data: It stated that, when there 
is unauthorized access to data, unauthorized acquisition will be 
presumed unless the entity that experienced the breach ``has reliable 
evidence showing that there has not been, or could not reasonably have 
been, unauthorized acquisition of such information.'' The presumption 
was intended to address the difficulty of determining whether access to 
data (i.e., the opportunity to view the data) did or did not lead to 
acquisition (i.e., the actual viewing or reading of the data). In these 
situations, the Commission stated that the entity that experienced the 
breach is in the best position to determine whether unauthorized 
acquisition has taken place.
    In describing the rebuttable presumption, the Commission provided 
several examples. It noted that no breach of security has occurred if 
an unauthorized employee inadvertently accesses an individual's PHR and 
logs off without reading, using, or disclosing anything. If the 
unauthorized employee read the data and/or shared it, however, he or 
she ``acquired'' the information, thus triggering the notification 
obligation in the rule.
    Similarly, the Commission provided an example of a lost laptop: If 
an entity's employee loses a laptop in a public place, the information 
would be accessible to unauthorized persons, giving rise to a 
presumption that unauthorized acquisition has occurred. The entity can 
rebut this presumption by showing, for example, that the laptop was 
recovered, and that forensic analysis revealed that files were never 
opened, altered, transferred, or otherwise compromised.
    The Commission received numerous comments on the rebuttable 
presumption. Several commenters supported it.\50\ Others stated that 
the standard articulated by the Commission is too broad and instead 
should require breach notification only when there is a risk of 
harm.\51\ Several of these commenters stated that the Commission's 
proposed standard would result in consumers' being inundated with 
breach notices.\52\ In contrast, consumer groups expressed concern that 
the Commission was giving too much discretion to companies, which could 
easily claim that unauthorized access did not give rise to unauthorized 
acquisition.\53\ Several commenters also requested further guidance on 
how the rebuttable presumption would work in specific instances.\54\
---------------------------------------------------------------------------

    \50\ See, e.g., AHIMA at 3; IDExperts at 1; NAID at 2; NAMIC at 
3; Statewide Parent Advocacy Network, Inc., at 2, World Privacy 
Forum at 6-7.
    \51\  See, e.g., AIA at 2, Blue Cross/Blue Shield at 3; National 
Community Pharmacists Association at 2; SIIA at 4-7; UHG at 3-5; 
WebMD at 4.
    \52\  See, e.g., Blue Cross/Blue Shield at 4; SIIA at 6-7.
    \53\ See, e.g., CDT/Markle at 8-9; EPIC at 5.
    \54\ See, e.g., AHIP at 2; IDExperts at 1; Intuit at 2; Molina 
Healthcare at 2.
---------------------------------------------------------------------------

    After considering the comments received, the Commission has decided 
to adopt the rebuttable presumption as part of the definition of breach 
of security, without modification. In response to the comments 
suggesting that the Commission require notification only if there is a 
risk of harm, the Commission notes that its standard does take harm 
into account. Indeed, notification would not be required in a case 
where an entity can show that although an unauthorized employee 
accidentally opened a file, it was not viewed, and therefore there has 
been no harm to the consumer.
    The Commission notes that harm in the context of health information 
may be different from harm in the context of financial information. As 
one commenter stated, ``[w]ith a breach of financial records, a 
consumer faces a significant headache, but ultimately can have their 
credit and funds restored; this is not the case with health records. A 
stigmatizing diagnosis, condition or prescription in the wrong hands 
can cause irreversible damage and discrimination.''\55\ Because health 
information is so sensitive, the Commission believes the standard for 
notification must give companies the appropriate incentive to implement 
policies to safeguard such highly-sensitive information.
---------------------------------------------------------------------------

    \55\ See Patient Privacy Rights at 6.
---------------------------------------------------------------------------

    With respect to commenters' concerns about the possibility of 
consumers' being inundated with breach notifications, the Commission 
believes

[[Page 42967]]

that its standard strikes the right balance. Given the highly personal 
nature of health information, the Commission believes that consumers 
would want to know if such information was read or shared without 
authorization. In addition, the danger of overnotification may be 
overstated. For example, where there has been unauthorized access to a 
database leading to the acquisition of specific consumers' data, a 
vendor or entity need not notify all consumers whose information 
appears in that database; it only needs to notify those specific 
consumers whose data was acquired.
    Nevertheless, the Commission agrees that further guidance would be 
useful to entities in assessing whether unauthorized acquisition has 
taken place as a result of unauthorized access. This further guidance 
should also allay consumer groups' concerns that businesses have too 
much discretion in making this determination. Commenters posed several 
scenarios, which the Commission addresses here.
    First, one commenter noted that companies should not have to delve 
into the state of mind of employees who accessed data to determine 
whether they viewed, read, memorized, or shared such data.\56\ The 
Commission agrees and notes that, in a case of inadvertent access by an 
employee, no breach notification is required if (1) the employee 
follows company policies by reporting such access to his or her 
supervisor and affirming that he or she did not read or share the data, 
and (2) the company conducts a reasonable investigation to corroborate 
the employee's version of events.
---------------------------------------------------------------------------

    \56\ See, e.g., SIIA at 5.
---------------------------------------------------------------------------

    Second, some commenters asked if unauthorized acquisition has taken 
place when a PHR is accessible on the Internet through an obscure Web 
site.\57\ The Commission believes that it would be very difficult to 
overcome the presumption that unauthorized acquisition has taken place 
in this scenario. In fact, because the Internet is accessible to 
hundreds of millions of people around the world, it is not generally 
reasonable to assume that the information available on the Internet was 
not acquired. The presumption of unauthorized acquisition could likely 
only be overcome if there was forensic evidence showing that the page 
was not viewed.
---------------------------------------------------------------------------

    \57\ See NAID at 2; Patient Privacy Rights at 4-5.
---------------------------------------------------------------------------

    Third, and similar to the example above, if an employee sends a 
mass email containing an individual's unsecured PHR identifiable health 
information accidentally, and the employee immediately recalls the 
message, the Commission believes that it is highly unlikely that the 
presumption can be overcome. In contrast to a situation in which an 
employee sends a single email and immediately asks the recipient to 
delete it, once hundreds of people have received an email, the 
Commission does not believe that there can be a reasonable expectation 
that no one ``acquired'' the information.\58\
---------------------------------------------------------------------------

    \58\ See In the Matter of Eli Lilly & Co., Docket No. C-4047 
(May 8, 2002) (settlement of action in which FTC alleged that 
company failed to maintain reasonable security; employee 
inadvertently had sent mass email revealing customers' sensitive 
health information).
---------------------------------------------------------------------------

    On a related issue, the final rule provides that a breach of 
security means acquisition of information without the authorization 
``of the individual.'' Some commenters raised questions about how the 
extent of individual authorization should be determined.\59\ For 
example, if a privacy policy contains buried disclosures describing 
extensive dissemination of consumers' data, could consumers be said to 
have authorized such dissemination?
---------------------------------------------------------------------------

    \59\ See, e.g., CDT/Markle at 10; International Pharmaceutical 
Privacy Consortium at 2; SIIA at 6.
---------------------------------------------------------------------------

    The Commission believes that an entity's use of information to 
enhance individuals' experience with their PHR would be within the 
scope of the individuals' authorization, as long as such use is 
consistent with the entity's disclosures and individuals' reasonable 
expectations. Such authorized uses could include communication of 
information to the consumer, data processing, or Web design, either in-
house or through the use of service providers. Beyond such uses, the 
Commission expects that vendors of personal health records and PHR 
related entities would limit the sharing of consumers' information, 
unless the consumers exercise meaningful choice in consenting to such 
sharing. Buried disclosures in lengthy privacy policies do not satisfy 
the standard of ``meaningful choice.''\60\ The Commission will examine 
this issue further when providing input on the HHS report.
---------------------------------------------------------------------------

    \60\ See, e.g., In the Matter of Sears Management Holding Co., 
File No. 082 3099 (June 4, 2009) (accepted for public comment) 
(alleging that Sears' failure to adequately disclose its tracking 
activities violated the FTC Act, given that Sears only disclosed 
such tracking in a lengthy user license agreement, available to 
consumers at the end of a multi-step registration process); FTC 
Staff Report, ``Self-Regulatory Principles for Online Behavioral 
Advertising,'' Feb. 2009, (https://www2.ftc.gov/os/2009/02/P085400behavadreport.pdf.); FTC Publication, Dot Com Disclosures: 
Information About Online Advertising at 5 (May 2000), available at 
(https://www.ftc.gov/bcp/edu/pubs/business/ecommerce/bus41.pdf) 
(``Making [a] disclosure available. . . so that consumers who are 
looking for the information might find it doesn't meet the clear and 
conspicuous standard. . . [D]isclosures must be communicated 
effectively so that consumers are likely to notice and understand 
them.'') (emphasis in original); see also FTC Policy Statement on 
Deception, appended to In the Matter of Cliffdale Assocs., Inc., 103 
F.T.C. 110, 174 (1984), available at (https://www.ftc.gov/bcp/policystmt/ad-decept.htm) (fine print disclosures not adequate to 
cure deception).
---------------------------------------------------------------------------

(b) Business associates and (c) HIPAA-covered entities
    Proposed paragraph (b) defined ``business associate'' to mean a 
business associate under HIPAA, as defined in 45 CFR 160.103. That 
regulation, in relevant part, defines a business associate as an entity 
that handles the protected health information of a HIPAA-covered entity 
and (1) provides certain functions or activities on behalf of the 
HIPAA-covered entity or (2) provides ``legal, actuarial, accounting, 
consulting, data aggregation, management, administrative, 
accreditation, or financial services to or for'' the HIPAA-covered 
entity. Proposed paragraph (c) defined ``HIPAA-covered entity'' to mean 
a covered entity under HIPAA, as defined in 45 CFR 160.103. That 
regulation provides that a HIPAA-covered entity is a health care 
provider that conducts certain transactions in electronic form, a 
health care clearinghouse (which provides certain data processing 
services for health information), or a health plan. The Commission 
adopts these definitions without modification.
(d) Personal health record
    Proposed paragraph (d) defined a ``personal health record'' as an 
``electronic record of PHR identifiable health information on an 
individual that can be drawn from multiple sources and that is managed, 
shared, and controlled by or primarily for the individual.'' The FTC 
adopts this definition without modification.\61\
---------------------------------------------------------------------------

    \61\ In response to comments received, the Commission emphasizes 
that PHRs are managed, shared, and controlled ``by or primarily for 
the individual.'' See, e.g., AIA at 2; ACLI; Molina Healthcare at 2-
3; National Association of Mutual Insurance Companies (``NAMIC'') at 
3-4. Thus, they do not include the kinds of records managed by or 
primarily for commercial enterprises, such as life insurance 
companies that maintain such records for their own business 
purposes.
---------------------------------------------------------------------------

    Several commenters urged the FTC to cover paper records, as well as 
electronic records.\62\ Although the Commission agrees that breaches of 
data in paper form can be as harmful as breaches of such data in 
electronic form, the plain language of the Recovery Act compels the 
Commission to issue a rule

[[Page 42968]]

covering only electronic data.\63\ The Commission will examine this 
issue further when providing input on the HHS report to Congress.
---------------------------------------------------------------------------

    \62\ See supra note 19.
    \63\ See Pinero v. Jackson Hewitt Tax Service, Inc., 594 F. 
Supp. 2d 710, 716-17 (E.D. La. 2009) (dismissing plaintiff's claim 
alleging breach of paper records under Louisiana data breach 
notification law because that law covers only a breach of 
``computerized'' data).
---------------------------------------------------------------------------

(e) PHR identifiable health information
    Proposed paragraph (e) defined ``PHR identifiable health 
information'' as ```individually identifiable health information,' as 
defined in section 1171(6) of the Social Security Act (42 U.S.C. 
1320d(6)),\64\ and with respect to an individual, information (1) that 
is provided by or on behalf of the individual; and (2) that identifies 
the individual or with respect to which there is a reasonable basis to 
believe that the information can be used to identify the individual.'' 
The Commission adopts this definition without change.
---------------------------------------------------------------------------

    \64\ This provision defines ``individually identifiable health 
information'' as information that ``(1) is created or received by a 
health care provider, health plan, employer, or health care 
clearinghouse; and (2) relates to the past, present, or future 
physical or mental health or condition of an individual, the 
provision of health care to an individual, or the past, present, or 
future payment for the provision of health care to an individual.''
---------------------------------------------------------------------------

    In its NPRM, the Commission noted three points with respect to this 
definition. First, it stated that the definition of ``PHR identifiable 
health information'' includes the fact of having an account with a 
vendor of personal health records or related entity, where the products 
or services offered by such vendor or related entity relate to 
particular health conditions.\65\ The Commission retains this 
interpretation.
---------------------------------------------------------------------------

    \65\ For example, the theft of an unsecured customer list of a 
vendor of personal health records or related entity directed to AIDS 
patients or people with mental illness would require breach 
notification, even if no specific health information is contained in 
that list.
---------------------------------------------------------------------------

    Second, the Commission noted that the proposed rule would cover a 
security breach of a database containing names and credit card 
information, even if no other information was included. Several 
commenters pointed out that this approach was not supported by the 
statutory language of the Recovery Act, which defines ``PHR 
identifiable health information'' to include information that relates 
to payment only ``for the provision of health care to an individual.'' 
These commenters noted that providing PHRs to consumers does not 
constitute the ``provision of health care to an individual.''\66\ The 
Commission is persuaded that name and credit card information alone is 
not PHR identifiable health information. However, as noted above, if 
the disclosure of credit card information identifies an individual as a 
customer of a vendor of personal health records or related entity 
associated with a particular health condition, that information would 
constitute ``PHR identifiable health information.''\67\
---------------------------------------------------------------------------

    \66\ See, e.g., Intuit at 2; MasterCard at 1-3; SIIA at 10, 
Dossia at 6-7.
    \67\ The Commission also notes that, depending on the 
circumstances, the failure to secure name and credit card 
information could constitute a violation of section 5 of the FTC 
Act. See (https://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html.)
---------------------------------------------------------------------------

    Third, the Commission stated that, if there is no reasonable basis 
to believe that information can be used to identify an individual, the 
information is not ``PHR identifiable health information,'' and breach 
notification need not be provided. The Commission also stated that, if 
a breach involves information that has been ``de-identified'' under 45 
CFR 164.514(b),\68\ the Commission will deem that information to fall 
outside the scope of ``PHR identifiable health information'' and 
therefore not covered by the rule. 45 CFR 164.514(b) states that data 
is ``de-identified'' (1) if there has been a formal, documented 
analysis by a qualified statistician that the risk of re-identifying 
the individual associated with such data is ``very small,'' or (2) if 
specific identifiers about the individual, the individual's relatives, 
household members, and employers (including names, contact information, 
birth date, and zip code) are removed, and the covered entity has no 
actual knowledge that the remaining data could be used to identify the 
individual. The Commission also requested examples of other instances 
where, even though the standard for de-identification under 45 CFR 
164.514(b) is not met, there is no reasonable basis to believe that 
information is individually identifiable.
---------------------------------------------------------------------------

    \68\ This standard, which appears in the HIPAA Privacy Rule, 
creates an exemption to that Rule.
---------------------------------------------------------------------------

    The Commission received numerous comments on this issue. Some 
commenters supported the Commission's proposal that ``de-identified'' 
data not be deemed ``PHR identifiable health information.''\69\ Others 
rejected this standard as not sufficiently protective of consumers 
because, in some instances, even ``de-identified'' data can be tracked 
back to an individual.\70\
---------------------------------------------------------------------------

    \69\ See, e.g., Columbia University at 2; NACDS at 2.
    \70\ CDT/Markle at 7-8; EPIC at 6-8; Patient Privacy Rights at 
5-6.
---------------------------------------------------------------------------

    One commenter requested that the FTC similarly state that ``limited 
data sets'' under HIPAA are not ``PHR identifiable health 
information.''\71\ Under HIPAA's Privacy Rule, HIPAA-covered entities 
may use ``limited data sets'' for research, public health, or health 
care operations without individual authorization, as long as contracts 
govern the use of such data. ``Limited data sets'' do not include 
names, addresses, or account numbers; they can, however, include an 
individual's city, town, five-digit zip code, and date of birth.\72\ 
Another commenter urged the FTC to state that, if information has been 
``redacted, truncated, obfuscated, or otherwise pseudonymized,'' there 
is no reasonable basis to believe that the information can be used to 
identify the individual.\73\ Indeed, several commenters noted that 
mandating notification for breaches of data that does not include 
individual identifiers would require re-identification of individuals 
associated with such data, the process of which would expose their 
information to new security risks.\74\
---------------------------------------------------------------------------

    \71\ Minnesota Department of Health at 3.
    \72\ 45 CFR 164.514(e). De-identified data sets cannot contain 
even this information, unless a qualified statistician determines 
that such information, when combined with other data, would present 
a ``very small'' risk of re-identification.
    \73\ SIIA at 9-10.
    \74\ See, e.g., iGuard at 2; Quintiles at 2-3.
---------------------------------------------------------------------------

    With respect to ``de-identified'' data and ``limited data sets,'' 
commenters provided empirical evidence on the likelihood that such data 
could be combined with other data to identify individuals. For example, 
several commenters cited to the research of Dr. LaTanya Sweeney of 
Carnegie Mellon University, which showed that .04% of the population 
could be re-identified by combining a ``de-identified'' data set with 
other public data.\75\ In addition, Dr. Bradley Malin, Director of the 
Health Information Privacy Laboratory of Vanderbilt University, 
estimated that, using a ``limited data set,'' 68.4% of the population 
was re-identifiable.\76\ Thus, it appears that the risk of re-
identification of a ``limited data set'' is exponentially greater than 
the risk of re-identification of ``de-identified'' data.
---------------------------------------------------------------------------

    \75\ CDT/Markle at 7; Columbia University at n. 6; World Privacy 
Forum at 8.
    \76\ Health Information Privacy Laboratory at Vanderbilt 
University at 1.
---------------------------------------------------------------------------

    Based on the comments received, the Commission affirms that ``de-
identified'' data will not be deemed to be ``PHR identifiable health 
information.'' Given the small risk that such data will be re-
identified by unauthorized third parties, the Commission believes that 
the data would be more vulnerable if entities were required to re-
identify these consumers solely to provide breach notification. Thus, 
de-identified data under HHS rules will not constitute ``PHR 
identifiable health information,''

[[Page 42969]]

and therefore, if such data is breached, no notification needs to be 
provided. On the other hand, the Commission declines to adopt a blanket 
statement that ``limited data sets'' are not ``PHR identifiable health 
information'' because the risk of re-identification is too high. The 
Commission similarly declines to state that ``redacted, truncated, 
obfuscated, or otherwise pseudonymized data'' does not constitute ``PHR 
identifiable health information'' because the risk of re-identification 
will depend on the context.
    Even if a particular data set is not ``de-identified,'' however, 
entities still may be able to show, in specific instances, that there 
is no reasonable basis to identify individuals whose data has been 
breached, and thus, no need to send breach notices. For example, 
consider a Web site that helps consumers manage their medications. The 
Web site collects only email addresses, city, and medication 
information from consumers, but it keeps email addresses secured in 
accordance with HHS standards\77\ and on a separate server. It 
experiences a breach of the server containing the city and medication 
information (but no email addresses). A hacker obtains medication 
information associated with ten anonymous individuals, who live in New 
York City. In this situation, the Web site could show that, even though 
a city is revealed, thus preventing the data from being categorized as 
``de-identified,'' there is no reasonable basis for identifying the 
individuals, and no breach notification needs to be provided.
---------------------------------------------------------------------------

    \77\ As noted below, the Recovery Act requires notification only 
if ``unsecured'' data has been breached, with the term ``unsecured'' 
to be defined by HHS. HHS issued guidance on the term ``unsecured'' 
on April 17, 2009. See 74 FR 19,006. The above example assumes the 
email addresses are secured in accordance with such guidance.
---------------------------------------------------------------------------

(f) PHR related entity
    Proposed paragraph (f) defined the term ``PHR related entity'' as 
an entity that (1) offers products or services through the Web site of 
a vendor of personal health records; (2) offers products or services 
through the Web sites of HIPAA-covered